Amplify and MTLS - How?

0

Hello, I've gone through these AWS docs regarding securing API gateways using MTLS, which have you create your own CA, cert, key, etc., sign it and then create the PEM that is used alongside the truststore for MTLS - https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

That all works great... between my development laptop and my API gateway... Now I'm trying to get Amplify involved in the scenario.

I've read elsewhere in the AWS docs, on a deep hunt one night, that Amplify is a service that MTLS can be used with. The end goal is to protect a critical API that absolutely cannot withstand abuse. MTLS seems like a good way to do this.

How exactly do I go about replicating the development machine steps that worked to lock down the gateway with Amplify instead of just my local machine?

Is the path through using this pem/key I created with my Amplify site's code (this is self-signed, isn't it?) or do I need to gather the Amplify site's truststore/key and use that? Not really clear on how to proceed. Thanks!

  • Bump........

1 Answer
0

Considering your use case is to protect a critical API that absolutely cannot withstand abuse, you may want to take a look at integrating AWS WAF with Amplify. Sample code can be found here --> https://github.com/aws-samples/aws-cdk-amplify-with-waf.

However, you can override the API resources that are created by Amplify; you should be able to configure mTLS, but I'm not 100% certain. Amplify uses AWS CDK to create resources. --> https://docs.amplify.aws/cli/restapi/override/.

Hope this helps.

AWS
aaron_l
answered a year ago
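
The CA, client certificate and truststore that the question describes, as an added example (not code from the original post or the AWS blog): it builds a throwaway private CA with openssl, signs a client certificate, and checks which file is self-signed and which one chains to the truststore. Subjects, file names and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. All subjects and file names below are constructed.

# Create a throwaway private CA and a client certificate signed by it in dir $1.
make_mtls_material() {
  local dir="$1"
  # Private CA: a self-signed root (issuer == subject).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Private CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
  # Client key and certificate signing request.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=example-client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
  # The CA signs the request, producing the client certificate.
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 30 -out "$dir/client.pem" 2>/dev/null || return 1
  # The truststore holds only CA certificates, never a private key.
  cp "$dir/ca.pem" "$dir/truststore.pem"
}

# Print "self-signed" when issuer and subject match, otherwise "ca-signed".
cert_kind() {
  local subject issuer
  subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  if [ "$subject" = "$issuer" ]; then echo "self-signed"; else echo "ca-signed"; fi
}

# Succeed only if certificate $2 chains to the truststore bundle $1.
chains_to_truststore() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed if file $1 contains private key material.
has_private_key() { grep -q "PRIVATE KEY" "$1"; }

# Stand-alone run: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d) && make_mtls_material "$work" || exit 1
  echo "ca.pem:     $(cert_kind "$work/ca.pem")"
  echo "client.pem: $(cert_kind "$work/client.pem")"
  chains_to_truststore "$work/truststore.pem" "$work/client.pem" \
    && echo "client.pem chains to truststore.pem"
  has_private_key "$work/truststore.pem" || echo "truststore.pem has no private key"
fi
```
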
